Published: |
The following are unfinished notes for a presentation I am giving at Boston Linux and Unix on 15 June 2022.
Unfortunately, I was not able to get Let's Encrypt working in my demo environment and I had to stop and save what I have, so I can present.
Agenda for the live presentation:
Hopefully I can follow up by the middle of July with a fixed version of my original version of this howto document.
This howto makes the following assumptions. If your environment or preferences are different, adjust accordingly:
nano
to edit text filesFor local name resolution, I find it's helpful to install Ubuntu's avahi-daemon
package.
sudo apt install avahi-daemon
You'll need an Avahi or Zeroconf or Bonjour daemon installed on each client machine that you'll be using for system administration. On Windows, to get Apple's Bonjour client, I downlaoded an Itunes installer and extracted the bonjour installer from inside it, and ran that.
Alternatively, you can edit your /etc/hosts
or C:\Windows\System32\drivers\etc\hosts
file on your sysadmin client machine, and enter the server's IP address.
For my servers, I like to have all my stored data encrypted. Ubuntu allows you to setup full disk encryption during installation, but it assumes that you have access to a hardware console to unlock the encryption, every time you reboot the server.
My approach is different. I use Gocryptfs to unlock an encrypted overlay filesystem after the system is partially booted up. After I unlock storage, Systemd resumes startup and launches all normal multiuser.target
services.
if you do not want to use disk encryption, skip this whole section and the next one about Send Email After Reboot. Go to MariaDB.
# Install Gocryptfs.
sudo apt install gocryptfs
# Create Gocryptfs container.
sudo mkdir -p /srv/priv.encrypted /srv/priv
sudo gocryptfs --init /srv/priv.encrypted
Choose a password for protecting your files.
Password:
Repeat:
Your master key is:
322e4d53-6729ec11-3b5a6c34-f881d697-
3d653e84-e2e1348c-df6c6a33-ccb8a556
If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer. This message is only printed once.
The gocryptfs filesystem has been created successfully.
You can now mount it using: gocryptfs /srv/priv.encrypted MOUNTPOINT
Don't ignore the warning about the password. DO NOT LOSE your encryption password; if you lose it, there is no possible way to recover it except by guessing.
# Test mounting the container.
sudo gocryptfs /srv/priv.encrypted /srv/priv
Password:
Decrypting master key
The option "-allow_other" is set. Make sure the file permissions protect your data from unwanted access.
Filesystem mounted and ready.
# Add to fstab.
sudo nano /etc/fstab
/etc/fstab
# Add this to the end...
# encrypted storage
/srv/priv.encrypted /srv/priv fuse./usr/bin/gocryptfs noauto,allow_other 0 0
# Test mounting via fstab.
sudo umount /srv/priv
sudo mount /srv/priv
You should see "Filesystem mounted and ready" again.
The next few steps setup Systemd only boot up enough to start sshd
and then pause and wait for you to unlock encryption before starting everything else.
These steps assume that all of your service daemons (except for SSH) depend on encrypted storage.
All of the daemon launches are deferred until after you login and unlock the encrypted storage.
sudo nano /etc/systemd/system/before-decrypt.target
/etc/systemd/system/before-decrypt.target
[Unit]
Description=System before Decryption
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes
# Setup symlinks to before-decrypt required services
sudo su
mkdir /etc/systemd/system/before-decrypt.target.wants
cd /etc/systemd/system/before-decrypt.target.wants
for i in /lib/systemd/system/multi-user.target.wants/* ; do
ln -s /lib/systemd/system/$(basename $i) .
done
ln -s /etc/systemd/system/syslog.service .
ln -s /lib/systemd/system/ssh.service .
exit
sudo nano /etc/systemd/system/decrypt.target
/etc/systemd/system/decrypt.target
[Unit]
Description=Decrypted System
Requires=before-decrypt.target
After=before-decrypt.target
Conflicts=systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
Requires=srv-priv.mount start-full-system.service
sudo nano /etc/systemd/system/start-full-system.service
/etc/systemd/system/start-full-system.service
[Unit]
Description=Start full system after decryption
After=decrypt.target
[Service]
Type=oneshot
ExecStartPre=/bin/systemctl is-active --quiet decrypt.target
ExecStart=/bin/systemctl --no-block start multi-user.target
sudo touch /usr/local/bin/unlock-priv
sudo chmod +x /usr/local/bin/unlock-priv
sudo nano /usr/local/bin/unlock-priv
/usr/local/bin/unlock-priv
#!/bin/bash
if findmnt /srv/priv >/dev/null; then
Already unlocked
exit
fi
echo -
echo - Unlocking /srv/priv
sudo mount /srv/priv
if ! findmnt /srv/priv >/dev/null; then
exit
fi
echo -
echo - Binding encrypted folders elsewhere in the filesystem
# (To be filled in later when setting up individual services)
echo -
echo - Resuming system startup
sudo systemctl start decrypt.target
To test it, reboot and then login and run unlock-priv
sudo unlock-priv
-
- Unlocking /srv/priv
Password:
Decrypting master key
The option "-allow_other" is set. Make sure the file permissions protect your data from unwanted access.
Filesystem mounted and ready.
-
- Binding encrypted folders elsewhere in the filesystem
-
- Resuming system startup
Later on in this guide we'll create data folders for services and move them to the encrypted volume.
If you use my encrypted storage setup, you'll want to be notified by email when the server has been rebooted, so that your services that depend on encrypted storage aren't stuck offline.
You will need an email provider that provides SMTP access. Check your email provider's documentation.
# Install msmtp
sudo apt install msmtp
# Disable Apparmor's profile for msmtp
sudo ln -s /etc/apparmor.d/usr.bin.msmtp /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.msmtp
# (You might get an error saying the profile doesn't exist. Ignore that.)
# Configure msmtp
sudo mkdir -p /root/.config/msmtp
sudo nano /root/.config/msmtp/config
/root/.config/msmtp/config
defaults
port 587
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account systemnotices
host FIXME
from FIXME@example.com
auth on
user FIXME
password FIXME
account default : systemnotices
Change the from
value to your own email address.
# Create a script to send a one-line email from CLI parameters
sudo touch /usr/local/bin/mail-sysadmin-oneline
sudo chmod +x /usr/local/bin/mail-sysadmin-oneline
sudo nano /usr/local/bin/mail-sysadmin-oneline
/usr/local/bin/mail-sysadmin-oneline
#!/bin/bash
email=FIXME@example.com
subject=$1
body=$2
#cat <<ENDSYSADMINMAIL
msmtp -- $email <<ENDSYSADMINMAIL
To: $email
Subject: [tulip] $subject
$body
ENDSYSADMINMAIL
Change the email
value to your own email address and change tulip
in the Subject to the name you've given your server.
# Test sending one email
sudo mail-sysadmin-oneline "test!"
# You should get an email.
# Make a systemd service to send mail after reboot
sudo nano /etc/systemd/system/mail-on-reboot.service
/etc/systemd/system/mail-on-reboot.service
[Unit]
Description=Email After Reboot
DefaultDependencies=no
After=network-online.target
Wants=network.target network-online.target
[Service]
Type=oneshot
# send message "rebooted"
ExecStart=/bin/bash /usr/local/bin/mail-sysadmin-oneline rebooted
[Install]
WantedBy=default.target
sudo systemctl enable mail-on-reboot.service
Reboot to test it. You should get an email when the system is ready for you to SSH in.
Really, don't forget after every reboot now, you need to SSH in and run
unlock-priv
.
Now you're ready to install MariaDB, SeaFile, and Collabora Office Online!
We use MariaDB for Seafile's metadata storage.
# Install MariaDB
sudo apt install mariadb-server mariadb-client
If you are using encrypted storage as described above, now you should move your MariaDB data folder to encrypted storage.
sudo systemctl stop mariadb sudo mkdir -p /srv/priv/var/lib sudo mv /var/lib/mysql /srv/priv/var/lib/mysql sudo mkdir /var/lib/mysql sudo chown mysql.mysql /var/lib/mysql sudo nano /etc/fstab # add the following line, and save
/srv/priv/var/lib/mysql /var/lib/mysql none noauto,bind 0 0
sudo nano /usr/local/bin/unlock-priv
/usr/local/bin/unlock-priv
# Add the following after "echo - Binding encrypted folders..." sudo mount /var/lib/mysql
# And finally, mount the bound folder and restart MariaDB. sudo mount /var/lib/mysql sudo systemctl start mariadb
# Create MariaDB user and two databases for Seafile
sudo mysql
create database seafile;
create database seafile_hub;
create database seafile_ccnet;
create user 'seafile'@'localhost' identified by 'FIXME';
grant all privileges on seafile.* to 'seafile'@'localhost';
grant all privileges on seafile_hub.* to 'seafile'@'localhost';
grant all privileges on seafile_ccnet.* to 'seafile'@'localhost';
Don't forget to fill in the FIXME
value for the password. You should use a unique password just for Seafile's databases, and make a note of it so you can fill it in in the next steps.
Seafile and Collabora LibreOffice Online work best if you are using a public Internet hostname and HTTPS protocol to access them, even if you are connecting from inside the same private network.
Afraid.org provides free DNS names to resolve a hostname to your public IP address. The free service plan includes up to 5 hostnames.
Repeat the steps again -- you will need a second hostname for the Collabora LibreOffice Online application. I recommend you use the same subdomain, but with an added -cool
. Example: tulip-cool.ignorelist.com
You may have to wait 5 to 10 minutes after you create the hostname before you can use it. Try pinging your hosname every few minutes, until you find that the name resolves.
ping tulip.ignorelist.com
...
ping tulip-cool.ignorelist.com
You probably have a dynamic IP address set by your ISP. You might want to install a Dynamic DNS updater on your server or on your home router to update Afraid.org every time your IP address changes. See FAQ Question #2 on Afraid.org's web site for more deatils on this process.
These steps are based on the Install using MySQL instructions from Seafile.
# Install Seafile prerequisite Ubuntu packages
sudo apt-get install python3 python3-setuptools python3-pip build-essential python3-dev \
libmemcached-dev libmariadb-dev-compat python3-pymysql
# Install Seafile prerequisite PyPI packages
sudo pip3 install --timeout=3600 Pillow pylibmc captcha jinja2 sqlalchemy==1.4.3 \
django-pylibmc django-simple-captcha python3-ldap mysqlclient
# Create a system user for Seafile
sudo adduser seafile
# Fill in the new password prompt, and you can leave the rest of the fields blank.
# Download and unpack Seafile
sudo su - seafile
mkdir -p ~/seafile/installed
cd ~/seafile/installed
# Get the URL for "Server for generic Linux" from https://www.seafile.com/en/download/
# Fill it in here for URL
wget URL
cd ~/seafile
tar zxf ~/seafile/installed/seafile-server_*.tar.gz
cd seafile-server-*
./setup-seafile-mysql.sh
Some notes about how to fill out the options in the setup wizard:
"seafile file server" is the back-end API server. "seahub" is the main HTTP server that serves web pages for the app.
After the setup wizard is done, it tells you the ports for "seafile file server" and "seahub". It didn't ask you for the port number for "seahub"; it just assumed port 8000.
If you want to change either of the ports, find them here:
- seafile file server (back-end API server)
~/seafile/conf/seafile.conf
βport
- seahub (front-end server)
~/seafile/conf/gunicorn.conf.py
βbind
(change the port number after ":
")
My Seafile instance doesn't work right unless I hard-code my public URL into ~/seafile/conf/ccnet.conf
and ~/seafile/conf/seahub_settings.py
.
~/seafile/conf/ccnet.conf
# Add the following two lines at the top:
[General]
SERVICE_URL = https://tulip.ignorelist.com/
~/seafile/conf/seahub_settings.py
# Add the following before the "DATABASES" value:
SERVICE_URL = 'https://tulip.ignorelist.com' # fill in your DNS name
FILE_SERVER_ROOT = 'https://tulip.ignorelist.com/seafhttp' # fill in your DNS name
Next, create Systemd services for Seafile:
If you are logged into a shell as seafile
, you can't run admin commands. Use the exit
to get back to the shell of your admin user.
sudo nano /etc/systemd/system/seafile.service
/etc/systemd/system/seafile.service
[Unit]
Description=Seafile
# add mysql.service or postgresql.service depending on your database to the line below
After=network.target mariadb.service
[Service]
Type=forking
ExecStart=/home/seafile/seafile/seafile-server-latest/seafile.sh start
ExecStop=/home/seafile/seafile/seafile-server-latest/seafile.sh stop
LimitNOFILE=infinity
User=seafile
Group=seafile
[Install]
WantedBy=multi-user.target
sudo nano /etc/systemd/system/seahub.service
/etc/systemd/system/seahub.service
[Unit]
Description=Seafile hub
After=network.target seafile.service
[Service]
Type=forking
# change start to start-fastcgi if you want to run fastcgi
# change the port in the next line if you are using a different port for seahub
ExecStart=/home/seafile/seafile/seafile-server-latest/seahub.sh start 8000
ExecStop=/home/seafile/seafile/seafile-server-latest/seahub.sh stop
User=seafile
Group=seafile
[Install]
WantedBy=multi-user.target
sudo systemctl enable seafile seahub
sudo systemctl start seafile seahub
If you are using encrypted storage as described above, now you should move your Seafile data folder to encrypted storage.
sudo systemctl stop seafile seahub sudo mkdir -p /srv/priv/home sudo mv /home/seafile /srv/priv/home/seafile sudo mkdir /home/seafile sudo chown seafile.seafile /home/seafile sudo nano /etc/fstab # add the following line, and save
/srv/priv/home/seafile /home/seafile none noauto,bind 0 0
sudo nano /usr/local/bin/unlock-priv
/usr/local/bin/unlock-priv
# Add the following after "echo - Binding encrypted folders..." sudo mount /home/seafile
# And finally, mount the bound folder and restart MariaDB. sudo mount /home/seafile sudo systemctl start seafile seahub
And finally, create your admin user:
sudo su - seafile
~/seafile/seafile-server-latest/reset-admin.sh
# fill in email address and password
Seafile is almost ready to use, but you have to configure Apache web server in front of it next.
You will need to setup a forwarded port from your home modem or router to the internal IP address of your server. Look in your router's documentation.
In my Verizon FIOS router, under Advanced
settings, there is a Security & Firewall β Port Forwarding
page. Here you see that I mapped ports 80 and 443 to my home file server.
# Install Apache
sudo apt install apache2
# Enable mod_proxy_http and mod_rewrite
sudo a2enmod proxy_http proxy_wstunnel rewrite
sudo systemctl restart apache2
# Setup a self-signed certificate
# Change 'tulip.ignorelist.com' to your main hostname from Afraid.org.
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/tulip.ignorelist.com.key -out /etc/ssl/private/tulip.ignorelist.com.crt
# Fill in anything for most fields. "Common Name" must be the exact DNS name.
# Repeat for your '-cool' hostname:
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/tulip-cool.ignorelist.com.key -out /etc/ssl/private/tulip-cool.ignorelist.com.crt
Now edit your "-le-ssl.conf" file (example tulip-le-ssl.conf
) and fill in the Seafile proxy configuration:
# Create a site file listening on a particular hostname
sudo nano /etc/apache2/sites-available/tulip.conf # (Use your Seafile service short name here)
/etc/apache2/sites-available/tulip.conf
<VirtualHost *:80>
# Fill in your Seafile DNS name from Afraid.org
ServerName tulip.ignorelist.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =tulip.ignorelist.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
# Fill in your Seafile DNS name from Afraid.org
ServerName tulip.ignorelist.com
SSLEngine on
SSLCertificateFile /etc/ssl/private/tulip.ignorelist.com.crt
SSLCertificateKeyFile /etc/ssl/private/tulip.ignorelist.com.key
Alias /media /home/seafile/seafile/seafile-server-latest/seahub/media
<Location /media>
Options FollowSymLinks
Require all granted
</Location>
RewriteEngine On
# seafile fileserver - fill in "seafile file server" port from Seafile config (default 8082)
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]
# seahub server - fill in "seahub" port from SEafile config (default 8000)
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPreserveHost On
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
</VirtualHost>
# Create another one for Collabora LibreOffice Online
sudo nano /etc/apache2/sites-available/tulip-cool.conf # (Use your Seafile service short name here)
/etc/apache2/sites-available/tulip-cool.conf
<VirtualHost *:80>
# Fill in your Collabora LibreOffice Online DNS name from Afraid.org
ServerName tulip-cool.ignorelist.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =tulip.ignorelist.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
# Fill in your Collabora LibreOffice Online DNS name from Afraid.org
ServerName tulip-cool.ignorelist.com
SSLEngine on
SSLCertificateFile /etc/ssl/private/tulip-cool.ignorelist.com.crt
SSLCertificateKeyFile /etc/ssl/private/tulip-cool.ignorelist.com.key
AllowEncodedSlashes NoDecode
ProxyPreserveHost On
# static html, js, images, etc. served from coolwsd
# browser is the client part of Collabora Online
# !! You can change port 8003 to whatever port you will use for COOL:
ProxyPass /browser http://127.0.0.1:8003/browser retry=0
ProxyPassReverse /browser http://127.0.0.1:8003/browser
# WOPI discovery URL
ProxyPass /hosting/discovery http://127.0.0.1:8003/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery http://127.0.0.1:8003/hosting/discovery
# Capabilities
ProxyPass /hosting/capabilities http://127.0.0.1:8003/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities http://127.0.0.1:8003/hosting/capabilities
# Main websocket
ProxyPassMatch "/cool/(.*)/ws$" ws://127.0.0.1:8003/cool/$1/ws nocanon
# Admin Console websocket
ProxyPass /cool/adminws ws://127.0.0.1:8003/cool/adminws
# Download as, Fullscreen presentation and Image upload operations
ProxyPass /cool http://127.0.0.1:8003/cool
ProxyPassReverse /cool http://127.0.0.1:8003/cool
# Compatibility with integrations that use the /lool/convert-to endpoint
ProxyPass /lool http://127.0.0.1:8003/cool
ProxyPassReverse /lool http://127.0.0.1:8003/cool
</VirtualHost>
# Enable the sites
sudo a2ensite tulip tulip-cool
sudo systemctl restart apache2
Now Seafile should be accessible at https://tulip.ignorelist.com on your client machine (where tulip.ignorelist.com
is your DNS name from Afraid.org).
On EVERY CLIENT, before you use either of the sites, you must do the following:
- Go to https://tulip.ignorelist.com in your browser (fill in your main hostname).
- Navigate through the warning about the self-signed certificate, and accept the certificate.
- Go to https://tulip-cool.ignorelist.com (fill in your COOL hostname).
- Accept the certificate in the same way.
Here is a screenshot of the self-signed certificate warning in Firefox-descended browsers:
We will install the Ubuntu packages for Collabora LibreOffice Online. Following the Collabora Online "Install from packages β Ubuntu 22.04" documentation:
cd /usr/share/keyrings
sudo wget https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg
sudo tee /etc/apt/sources.list.d/collaboraonline.sources << EOF
Types: deb
URIs:https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-ubuntu2204
Suites: ./
Signed-By: /usr/share/keyrings/collaboraonline-release-keyring.gpg
EOF
sudo apt update
sudo apt install coolwsd code-brand
Based on the configuration documentation, edit your Collabora LibreOffice Online config file.
sudo nano /etc/coolwsd/coolwsd.xml
/etc/coolwsd/coolwsd.xml
<!-- in the "net" section... -->
<net...>
<!-- change "proto" to IPV4 -->
<!-- <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">all</proto> -->
<proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">IPv4</proto>
<!-- change "listen" to only on loopback address -->
<!-- <listen type="string" default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'.">any</listen> -->
<listen type="string" default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'.">loopback</listen>
<!-- in the "ssl" section... -->
<ssl...>
<!-- Disable TLS (on the back-end) -->
<!-- <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable> -->
<enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
<!-- Enable usage behind proxy server -->
<!-- <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination> -->
<termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
# Install coolwsd service
sudo cp /usr/lib/systemd/system/coolwsd.service /etc/systemd/system/coolwsd.service
# Add a port number
sudo nano /etc/systemd/system/coolwsd.service
/etc/systemd/system/coolwsd.service
# Edit this line...
# Fill in the port you used in the "-cool" Apache config file.
ExecStart=/usr/bin/coolwsd --version --o:sys_template_path=/opt/cool/systemplate --o:child_root_path=/opt/cool/child-roots --o:file_server_root_path=/usr/share/coolwsd --port=8003
# Set password and install service
sudo coolconfig set-admin-password
sudo systemctl stop coolwsd
sudo systemctl disable coolwsd
sudo systemctl enable coolwsd
sudo systemctl start coolwsd
sudo su - seafile
nano ~/seafile/conf/seahub_settings.py
~/seafile/conf/seahub_settings.py
# Add to the end...
OFFICE_SERVER_TYPE = 'CollaboraOffice'
ENABLE_OFFICE_WEB_APP = True
OFFICE_WEB_APP_BASE_URL = 'https://cool.glump.net/hosting/discovery'
WOPI_ACCESS_TOKEN_EXPIRATION = 5 * 60 * 60 # seconds
OFFICE_WEB_APP_FILE_EXTENSION = (
'odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx'
)
ENABLE_OFFICE_WEB_APP_EDIT = True
OFFICE_WEB_APP_EDIT_FILE_EXTENSION = (
'odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx'
)
exit # logout as Seafile user
sudo systemctl restart seahub
This policy contains information about your privacy. By posting, you are declaring that you understand this policy:
This policy is subject to change at any time and without notice.
Reader-contributed comments on Glump.net are owned by their original authors, who reserve all rights.
Comments rules:
Comments